As part of our security measurement work since March 2005 we've been tracking
how the Red Hat Security Response Team first found out about each vulnerability
we fix. This information is interesting as it can show us which
relationships matter the most, and identify trends in vulnerability disclosure.
So for the two years to March 2007 we get the following results (in percent):

I've separated the bars into two sections; the red sections are where
we get notice of a security issue in advance of it being public (where
we are told about the issue 'under embargo'). The grey sections
are where we are reacting to issues that are already public.

The number of issues that reach us through researchers and co-ordination centers
seems lower than might be expected. This is because in many cases the researcher
will tell a group such as vendor-sec, rather than each distributor separately, or
will go to the upstream project directly.

Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, fedora, home automation, and other topics.